July 2010
Yesterday was the second and final day of Black Hat sessions and there were quite a few key topics that we’ve seen before.
Government
As the government continues to work toward implementing cloud solutions, there is continued discussion of cloud security, as well as cyber-warfare. We saw this in full force at RSA 2010, which we discussed in a previous post.
In his Black Hat keynote yesterday, former National Security Agency Director, retired Gen. Michael Hayden, addressed the need to define cyber-warfare since the term is loosely applied to anything relating to crime on the Internet. He explained the military traditionally operated in four domains: ground, air, water and space. Now, there is the introduction of the fifth domain: the Internet, the first man-made location for warfare. A clear definition of cyber-warfare will prove advantageous for us because it will enable the country to better understand what a cyberattack is and, therefore, know how to properly respond.
SSL
One of the biggest speaking points from Day 2 sessions revolved around weaknesses associated with SSL, which were highlighted in a number of sessions yesterday. In one session, two researchers highlighted the ability for hackers to take over a user’s account or take control of a website due to the way browsers implement HTTPS. Additionally, hackers are able to sniff around the edges of the encrypted information, picking up on clues to help them figure out what their targets are doing.
The session essentially highlighted that HTTPS alone will not stop bad things from happening due to the “breadcrumbs” left behind from secure browsing sessions that skilled hackers can easily follow.
Wallpaper
I remember the first time I wanted to change the wallpaper on my computer and my computer teacher (yeah, that’s true) was furious. I found myself, 30 minutes later, with a very basic understanding of the dangers of malicious downloadable content. Although it seems to be more common sense nowadays, downloading images and other content can still be a threat to users who believe they are using a secure application.
Take the mobile Android situation. A wallpaper application is said to be sending personal information from millions of Android users to a “mysterious Chinese website.” The finding was reported at Black Hat this week as part of the App Genome Project, a real-time database designed to keep mobile users safe by identifying security threats and providing insight into how applications tap into personal data.
There is also more discussion of bug bounty programs, malware-infected SEO terms and ATM vulnerabilities.
As a result of the sessions at Black Hat, we’re likely to see continued discussion regarding the importance of (and need for) a definition of cyber-warfare and, as expected, continued advancements in cloud security as more industries turn to the cloud.
Tags:
App Genome Project,
ATM vulnerabilities,
Black Hat,
cloud security,
cyber-warfare,
cyberattack,
cyberwar,
malware,
SEO,
SSL
Posted by Kristin Forte Allaben on July 30, 2010 at 9:48 AM
The first day of sessions is complete and hackers and security professionals are preparing for the Day 2 sessions. But before we get into what to expect, let’s recap some of the high points from yesterday.
Barnaby Jack’s ATM vulnerability discussion was, as we expected, one of the main highlights from yesterday. His discussion explored some interesting ATM attacks, labeled as dangerous because they affect multiple types of ATMs. Over the course of his presentation, he addressed two types of ATM attacks, one physical and one remote, the latter considered more dangerous because attackers can silently gather account information from anyone who uses the ATM.
The remote attack, which he named “Dillinger,” exploits a vulnerability that exists within the remote monitoring authentication process. Unfortunately, most ATMs made by a certain manufacturer have this authentication process turned on by default. A rootkit can easily be installed once the vulnerability is exploited. For the purpose of his demonstration, Jack installed a rootkit named “Scrooge” enabling the machine to spit out cash.
Additional highlights from yesterday’s speaking sessions include discussion of payment for researchers who identify vulnerabilities. This is a big discussion point for researchers following Tavis Ormandy’s public disclosure of the Microsoft vulnerability not too long ago.
Just like every argument, there are always two sides to the story. Microsoft and Cisco addressed the situation yesterday stating that “bug bounty programs” are not the best strategy for improving internet security. Other panelists, however, explained they thought it was a nice way for a researcher to be rewarded for identifying a vulnerability. Quite frequently, a researcher is offered little more than a “thank you.”
To try to get everyone on the same page, Microsoft created a “coordinated vulnerability disclosure” with the goal of aligning the motives of researchers and vendors. Microsoft also announced its Microsoft Active Protections Program (MAPP) will include vulnerability information sharing from Adobe Systems Inc. to help better protect customers by alerting them to vulnerabilities before Microsoft releases its monthly patches.
Additional highlights from Day 1 sessions include:
With so much of the show’s anticipation met within the first day of speaking sessions, what can we expect for Day 2? It is likely we’ll see continued discussion around vulnerability disclosure and Microsoft’s response to bug bounty programs, partnerships and other collaborations to ensure a common goal can be met when it comes to disclosing and fixing a vulnerability, and mobile device security and its impact on the enterprise network.
Check back in tomorrow for a recap of Day 2 sessions.
Tags:
Adobe,
ATM vulnerabilities,
Barnaby Jack,
Black Hat,
enterprise security,
malware,
MAPP,
Microsoft,
SEO,
WEP,
WPA
Posted by Kristin Forte Allaben on July 29, 2010 at 12:05 PM
Today is the first day of the 2010 Black Hat Conference speaking sessions. Among the line-up of anticipated talks surrounding wireless security (specifically that of WPA2), mobile device security and ATM vulnerabilities, there is a slew of additional sessions that are bound to make some noise.
One of the noise makers is likely to be the session exploring how to intercept cell phone calls. Some interesting rumors of lawsuits caused eyes and ears to turn toward AT&T, but the company cleared the air, saying it will not interfere with the demonstration.
Although often overlooked in favor of credit card theft, counterfeit checks are not a thing of the past. Although you may find yourself having flashbacks to the movie “Catch Me If You Can,” a discussion on how Russian hackers obtained images of checks from a number of retailers and other businesses is a high-tech version of the old story. A quick summary: Russian hackers found a way to utilize technology to make this low-tech crime even more dangerous. They have not yet been caught.
There will also be exploration into weaknesses of SSL, used by websites to protect data. One session on this topic will explore how to attack storage mechanisms to tamper with a SSL session. Another SSL presentation will focus on results of a study that analyzed SSL use to document configuration errors, which weakened thousands of websites.
There will also be discussion surrounding web application security, particularly as it applies to third-party code, which includes such items as widgets, applications and advertising modules, all of which are very popular on web applications. These applications are meant to provide additional functionality for the user, but security implications across a variety of industries—including healthcare and finance—could result in infected users.
SEO has been a topic of growing importance for many companies over the past few years. With this in mind, it only makes sense that hackers want to jump on the bandwagon and will utilize SEO to push out malware. Taking a look ahead to DefCon, researchers will show just how important SEO has become to the “malware pushers.”
Check back in tomorrow for a recap of the Day 1 sessions and what we can expect for Day 2.
Tags:
ATM vulnerabilities,
Black Hat,
counterfeit checks,
DefCon,
malware,
mobile security,
SEO,
weaknesses of SSL,
web application security,
WPA2
Posted by Kristin Forte Allaben on July 28, 2010 at 9:09 AM
This year's Black Hat conference is considered to be the most popular to date, and tomorrow marks the first of two days of speaking sessions.
For those of you who participated in the Black Hat Challenge, you are aware that there are many sessions to choose from, and little time to see them all.
One of the most anticipated sessions is the Barnaby Jack ATM scams, which was mentioned in yesterday’s post.
But beyond ATM scams, there is a trend we’re seeing in sessions: mobile security. As I mentioned yesterday, IDC forecasted that the number of mobile workers will exceed one billion by the end of 2010. From a corporate perspective, an enterprise network can be open to a number of vulnerabilities stemming from the use of a mobile device. From a consumer perspective, people can fall victim to various malware triggered by bugs in the device. For example, one of the anticipated Black Hat sessions will illustrate to attendees that the A5/1 encryption algorithm used by carriers such as T-Mobile and AT&T is weak and can be easily broken, something spies and security geeks alike have known for some time.
Jeff Moss, founder of Black Hat, explained that for many people, seeing is believing; unless people can literally see what’s possible when it comes to security threats and attacks, they won’t believe it. This specifically applies to corporate decision makers as they need to [visually] understand what is technically possible before they can make informed decisions regarding security.
But what it comes down to is this: no one can predict what the big news will be from Black Hat since there is always a wildcard, as Bob McMillan notes. With so many sessions in the queue and such an array of personalities in the same space, you can never quite tell what the news will be.
Tags:
ATM scams,
Barnaby Jack,
Black Hat,
encryption algorithm,
mobile security,
mobile workforce,
security attack,
security threat
Posted by Kristin Forte Allaben on July 27, 2010 at 11:06 AM
As speakers and hackers gather in Vegas for the 2010 Black Hat conference, there are many topics on people’s minds.
In much of the pre-show articles, there has been talk about cloud security, a topic that seems to resonate throughout security conferences this year (see previous post on RSA 2010). There is also discussion on wireless security, particularly as it pertains to mobile devices. This is most definitely an area of increasing importance as IDC forecasted that the mobile workforce would exceed one billion by the end of 2010, potentially bringing to light new security implications for enterprise networks.
Most prominently over the last few days has been discussion of the vulnerability within WPA2, currently the strongest form of WiFi encryption and authentication. The vulnerability, identified as “Hole 196,” lends itself to man-in-the-middle attacks.
We can also expect to hear about:
It appears, however, that the most highly anticipated session surrounds Barnaby Jack’s research into ATM vulnerabilities. As some may recall, this talk was canceled last year due to pressure from ATM vendors. Similarly, this year, a session entitled “The Chinese Cyber Army: An Archaeological Study from 2001 to 2010” was canceled due to outside pressures.
On a fun note, Black Hat attendees will also be participating in the Pwnie Awards, which recognize extreme excellence and incompetence in the field of information security. Some categories include Best-Server-Side Bug, Best Client-Side Bug, Most Overhyped Bug and Lamest Vendor Response.
For those of you preparing to head out to Vegas later this week for the array of speaking sessions, take the Black Hat Challenge. What one session would you attend?
Tags:
ATM vulnerabilities,
Barnaby Jack,
Black Hat USA 2010,
cloud security,
DNS rebinding,
hackers,
Hole 196,
Microsoft Security Response Center,
mobile workforce,
VPN security
Posted by Kristin Forte Allaben on July 26, 2010 at 9:49 AM
At some point during Black Hat USA this year, you will inevitably run across an industry colleague, peer, friend or foe and ask them what they've been up to during the week and why you haven't seen them. One answer that you may hear is, "Oh, I was over at B-Sides."
For those of you who are not familiar with "B-Sides", you soon will be. Security B-Sides, as defined by the founders, "is a series of community-driven events built for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening."
Competition is born out of necessity
Now in its second year and known as Security B-Sides Las Vegas or BSidesLasVegas, B-Sides was born out of a number of rejections to the Call For Papers (CFP) for Black Hat USA 2009. And as is described on the B-Sides Community Wiki, "A number of quality speakers were rejected, not due to lack of quality, but lack of space and time. Any constrained system must operate within the bounds to which it has defined itself. Conferences constrain themselves to the eight hours a day for however many days they run. Our goal is to provide people with options by removing those barriers and providing more options for speakers, topics, and events."
Security B-Sides points out (scroll down to "What B-Sides Is Not!") that they do not compete with any other event and that, "The goal has and always will be to expand the spectrum of conversation and enable a greater variety of events. Certainly one can take the business perspective and say that any and every security conference competes with each other, but this would ignore the fact that these events are FREE and simply offer people another alternative to everything else."
Make no mistake about it, free or otherwise, Security B-Sides does in fact compete with the conferences that it runs alongside. Maybe the events are not currently competing for dollars and cents, but they are most certainly competing for time and the mind-share of attendees, be it security pros and industry influencers alike, including members of the media.
And while B-Sides was initially based on rejected sessions for Black Hat, one wonders if the time will come (if it has not already), where speakers may actually prefer to present at the B-Sides events as opposed to the other larger, more established conferences that are taking place concurrently.
A bright future ahead for B-Sides
There is no question, as the fledgling player, B-Sides is doing the right thing by downplaying the competitive aspect and snuggling up to its competition. However, just take a look at the infrastructure that B-Sides is building and tell me that they aren't poised to become a true competitor to some of these events. More and more, this continues to look like a brilliant model that the B-Siders have built. Go where the industry will already be. Provide a different, unique and dare I say...better product. The latter remains to be seen over time, but in the meantime, B-Sides appears to be here to stay and they are slowly stealing some of the spotlight from Black Hat and other conferences that they run alongside.
In 1997, Jeff Moss put in motion a vision for Black Hat when he staged the very first Black Hat Briefings. Take a look at what the very first schedule looked like here. There is no question that Black Hat has sure come a long way, adding Black Hat DC, Black Hat Europe, and the now defunct Black Hat Asia (2000-2008) and Black Hat Windows (2001-2004) events. In its fourteenth year, the line-up of speakers and schedule of the Black Hat USA 2010 Briefings is drastically different than it was during its inaugural event.
Will B-Sides become the next power in security conferences and be spoken about along the same lines as Black Hat, RSA or others? Time will tell. In 2009, Security B-Sides embarked upon its journey with their very first event (now known as BSidesLasVegas01). Check back with me in 2022 at BSidesLasVegas14 to see how far along they have come.
In the spirit of our destination next week, I'd wager that we will see great things to come from B-Sides this year and in the future. One thing is sure, the security industry is going to have one heck of a time in the desert next week. Las Vegas, here we come! Share your thoughts and experiences on the B-Sides events and help take this conversation to the next level by adding your comments.
Tags:
B-Sides,
Black Hat USA,
Black Hat USA 2010,
BSidesLasVegas,
Security B-Sides,
security conference
Posted by Tim Whitman on July 23, 2010 at 9:06 AM
Black Hat USA is upon us and attendees (IT security practitioners, company executives, journalists, analysts, vendors, etc.) are gearing up for their voyage to the desert.
Many folks are beginning to put together their plan of attack for the event and are likely just starting to take a deeper look at the Briefing Session schedule, which is slated to take place on Wednesday, July 28 and Thursday, July 29 at Caesar's Palace in Las Vegas, and are thinking about which sessions to go to.
This is quite the daunting task, as the Black Hat organizers have certainly outdone themselves yet again this year by lining up some amazing speakers and content. But is Black Hat hurting itself with too much great content? Here are some quick numbers to digest regarding just the Briefing Sessions portion of the event:
- 2 Days
- 2 keynotes (one each day)
- 10 tracks (not including the "Special Events" track)
- 10 time slots (five each day)
- 100 sessions
So fellow attendees, you have 100 sessions to choose from, but can only pick 10 maximum (one for each time slot). How will you use your time at Black Hat this year? One wonders if a more streamlined approach, like that of CanSecWest, is better for attendees -- where no sessions are competing with one another and attendees aren't faced with making the difficult decision of having to select between great ones and potentially feel as if they missed out and picked the wrong one.
Regardless, the Schwartz Security Practice is looking forward to another very exciting experience at Black Hat USA this year and the Practice will be there in full force. Schwartz Security clients that are presenting sessions this year include: Core Security, Damballa and Qualys, who has three sessions: one, two and three.
Your turn. If you were told that you can only attend ONE session at Black Hat this year, which would it be and why? We look forward to reading your shared thoughts in the comments section. See you in Vegas!
Tags:
audience engagement,
Black Hat,
Black Hat USA,
Black Hat USA 2010,
Conference Speaking,
Core Security,
Damballa,
PR strategy,
PR Tips,
Qualys,
security PR,
security public relations,
security vendors,
Tradeshow Tips
Posted by Tim Whitman on July 20, 2010 at 3:49 PM
I had an interesting conversation with a CMO last week about how to conceptualize engagement. The basis of this discussion hinges on three major spheres of influence: media, search engines and corporate web sites.
Granted, this is a simplistic view, as it neglects other channels, such as analysts and trade shows. However, we can agree that a public relations program that engages its target audience through media, search engines and a corporate web site will generally be considered successful.
This Venn diagram illustrates these channels. By considering where these spheres of influence intersect, we can deliberately discuss the best avenues of engagement.

Tags:
audience engagement,
content marketing,
inbound marketing,
PR,
public relations,
thought leadership
Posted by Clinton Karr on July 14, 2010 at 6:41 PM
It’s hard to believe a full month has passed since the last Wednesday Wrap-Up, but believe it or not, yesterday marked the second Tuesday of the month.
Unlike the “record setting” previous month, there were four patches released to fix five bugs as part of the July 2010 Patch Tuesday, three of which were rated critical.
Here’s the summary of this month’s patches:
- Three of the four patches were rated critical, though the patch ranked important may actually cause some bigger issues in the future. More on that later.
- Two of the patches address flaws in Windows and the other two address flaws in Microsoft Office.
- Google Researcher Tavis Ormandy’s disclosure of a flaw in Microsoft’s Help and Support Center led to some significant disagreement regarding vulnerability disclosure protocol. However, as Ryan Naraine reports, Microsoft issued a critical patch for the flaw in just 33 days, almost half of Microsoft’s typical 60-day response time. This is promising for those who are full-disclosure advocates.
- The bulletin ranked important for Microsoft Office—MS10-045—directly impacts all versions of Microsoft Outlook, excluding Outlook 2010. In this vulnerability, users are unable to tell whether an attachment is an executable, which puts them at risk. There exists potential for a large-scale spam attack to occur.
- The July 2010 patches also represent the end of Windows XP SP2 (Service Pack 2) support. Basically, there will be no updates released for Windows XP SP2, along with Windows 2000, after today.
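The Outlook item above comes down to a user not being able to tell from the displayed name whether an attachment is executable. The script below is an added example, not code from this post or from Microsoft, showing the kind of gateway-side check a defender runs so that the decision never reaches the user: it resolves the extension Windows would actually honour after trailing dots and spaces are dropped, and it also flags two disguises that go beyond what the post mentions, a benign-looking inner extension in front of an executable one and whitespace padding that pushes the real suffix out of view. The extension list and the sample attachment names are constructed for this example, and the check is generic hygiene, not a description of the MS10-045 mechanics, which the post does not detail.

```python
import os
import re

# File types Windows will run as code when opened. Constructed for this
# example; a real gateway policy would carry a longer, maintained list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".msi", ".hta",
}


def effective_extension(filename: str) -> str:
    """Return the suffix Windows would honour for this attachment name.

    Trailing dots and spaces are dropped (Windows discards them when it
    creates the file) and only the last dot-separated suffix counts, so
    "invoice.pdf.exe" resolves to ".exe" and "readme.docx." to ".docx".
    """
    cleaned = filename.strip().rstrip(". ")
    return os.path.splitext(cleaned)[1].lower()


def classify_attachment(filename: str) -> dict:
    """Classify one attachment name the way a mail gateway would.

    Returns the honoured extension, whether it is executable, whether the
    name hides it behind a benign-looking inner extension ("photo.jpg.scr")
    or behind a run of whitespace, and an allow/quarantine verdict.
    """
    cleaned = filename.strip().rstrip(". ")
    stem, ext = os.path.splitext(cleaned)
    ext = ext.lower()
    executable = ext in EXECUTABLE_EXTENSIONS

    # Inner extension, e.g. ".pdf" in "invoice.pdf.exe"; whitespace between
    # the inner suffix and the real one is stripped before the comparison.
    inner = os.path.splitext(stem)[1].strip().lower()
    double_extension = executable and inner != "" and inner not in EXECUTABLE_EXTENSIONS

    # Two or more consecutive whitespace characters inside the name are a
    # classic way to push the real suffix past the width of the client's
    # attachment column.
    padded_name = re.search(r"\s{2,}", filename) is not None

    return {
        "name": filename,
        "extension": ext,
        "executable": executable,
        "double_extension": double_extension,
        "padded_name": padded_name,
        "verdict": "quarantine" if executable else "allow",
    }


def scan_attachments(filenames) -> list:
    """Classify a batch of attachment names and return the results in order."""
    return [classify_attachment(name) for name in filenames]


# Constructed sample attachment names, not taken from any real message.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "invoice.pdf.exe",
    "photo.jpg                              .scr",
    "setup.exe",
    "notes.txt ",
    "readme.docx.",
]

if __name__ == "__main__":
    for result in scan_attachments(SAMPLE_ATTACHMENTS):
        flags = [k for k in ("double_extension", "padded_name") if result[k]]
        print(f"{result['verdict']:10} {result['extension']:6} "
              f"{result['name']!r} {' '.join(flags)}")
```

Running the block prints one line per sample: the PDF, the trailing-space text file and the trailing-dot Word document are allowed, while the plain `.exe`, the double-extension invoice and the whitespace-padded screensaver are quarantined, the last two with their disguise flagged.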
Many of the Patch Tuesday conversations seemed to focus on two specific areas: the vulnerability disclosed by Ormandy a few weeks ago, and the end of Windows XP SP2 and Windows 2000 support.
Vulnerability Disclosures
Following Ormandy’s disclosure of the Microsoft Help and Support Center flaw, there has been significant activity in the security realm. Many agree with Ormandy, stating that full disclosure is necessary to move Microsoft along in issuing a fix sooner rather than later. On the other hand, however, many believe this just puts the end-user at greater risk.
Since the disclosure of the vulnerability, a number of malicious exploits emerged, all of which attempted to target the vulnerability, as is reported by Rob Westervelt. Elinor Mills took a deeper look at these malicious exploits as they emerged last month.
Interestingly, there has been little discussion of Microsoft’s relationship with researchers and the emergence of the MSRC. Not the MSRC we’re already familiar with (the Microsoft Security Response Center that is responsible for investigating vulnerabilities), but a new MSRC. Named the Microsoft-Spurned Researcher Collective, this group is composed of anonymous, rogue researchers that have vowed to publicize any Microsoft vulnerabilities instead of quietly reporting them to Microsoft to effectively work on a patch. It will be interesting to see where this leads as researchers immediately publish proof of concept, showing malicious hackers how to exploit vulnerabilities.
The end of Windows XP SP2 and Windows 2000
The end of Windows XP SP2 is a big deal because there are still hundreds of millions of users on this OS. When an upgrade of XP from SP1 to SP2 was required, many people went ahead with the upgrade to enhance their security. There were specific benefits offered by upgrading the system. However, the upgrade from SP2 to SP3 appears to be merely for maintenance.
The retired support for XP SP2 users poses the risk of significant security threats since various flaws will only be fixed for SP3. If these flaws remain unfixed in SP2, users could become exposed to serious vulnerabilities. It is only a matter of time before a hacker identifies and takes advantage of a relevant vulnerability.
Additionally, Microsoft has completely retired the Windows 2000 OS line. It has been advised for any users with Windows 2000 to migrate to a new OS, preferably Windows 7.
Although not as record-setting as last month, July’s Patch Tuesday has left many with a call to action, more so than just rebooting your machines. If you are still operating on a Windows XP SP2 OS, take the time to upgrade to SP3. Unfortunately, according to Wolfgang Kandek of Qualys (client), upgrading from XP SP2 to Windows 7 is extremely difficult, and requires some manual work. And, as is always the case, never open an email attachment when you are unfamiliar with the sender.
Check in with us next month for the Wednesday Wrap-Up of August’s Patch Tuesday.
In the meantime, keep an eye out for our thoughts on Black Hat...leading up to the event and at the event itself. Schwartz clients that will be presenting at Black Hat include: Core Security, Damballa and Qualys.
What session or sessions are you most looking forward to attending at Black Hat this year?
Tags:
Microsoft,
Microsoft Outlook,
Patch Tuesday,
spam attack,
Tavis Ormandy,
vulnerabilities,
Windows XP SP2
Posted by Kristin Forte Allaben on at 9:24 AM